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Abstract 

In practical quantum key distribution, weak coherent state is often used and the channel trans- 
mittance can be very small therefore the protocol could be totally insecure under the photon- 
number-splitting attack. We propose an efficient method to verify the upper bound of the fraction 
of counts caused by multi-photon pluses transmitted from Alice to Bob, given whatever type of 
Eve's action. The protocol simply uses two coherent states for the signal pulses and vacuum for 
decoy pulse. Our verified upper bound is sufficiently tight for QKD with very lossy channel, in 
both asymptotic case and non-asymptotic case. The coherent states with mean photon number 
from 0.2 to 0.5 can be used in practical quantum cryptography. We show that so far our protocol 
is the only decoy-state protocol that really works for currently existing set-ups. 
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Unlike the classical cryptography, quantum key distribution(QKD) lj, |2j, |3( can help two 



Further, proofs for 
. The security of 



remote parties to set up the secure key by non-cloning theorem 
the unconditional security over noisy channel have been given |5| 

practical QKD with weak coherent states has also been shown PTllj. However there are still 
some limitations for QKD in practice, especially over long distance. In particular, large loss 
of channel seems to be the main challenge to the long-distance QKD with weak coherent 
states. A dephased coherent state \fie td ) is actually a mixed state of 

Pu = ^ T \^ 9 }(^ e \d6 = J2Pn(v)\n)(n\ (1) 

lit JO n 

and P n {p) = ^~^r~- Here /i is a non-negative number. In practice, especially in doing long- 
distance QKD, the channel transmittance rj can be rather small. If i] < (1 — e~ M — /ie~ M )//x, 
Eavesdropper (Eve) in principle can have the full information of Bob's sifted key by the 
photon-number-splitting (PNS) attack 10]: Eve blocks all single-photon pulses and part of 
multi-photon pulses and separates each of the remained multi-photon pulses into two parts 
therefore each part contains at least one photon. She keeps one part and sends the other 
part to Bob, through a lossless channel. 

If the channel is not so lossy, Alice and Bob can still set-up the unconditionally secure 
final key with a key ratejll| 

r = 1 — A — H{t) — (1 — A)H(t/ (1 — A)) (2) 



if we use a random classical CSS code[5j to distill the final kev|ll||. Here t is the detected 
flipping error rate, A is the fraction of tagged signals|ll|, i.e. the fraction for those counts 
in cases when Alice sends out a multi-photon pulse. The functional H(x) = —x log 2 x — (1 — 
x) log 2 (l — x). From the above formula we see that verifying a tight bound for A is the first 
important thing in QKD. 

Originally, the PNS attack has been investigated where Alice and Bob monitor only 
how many non-vacuum signals arise, and how many errors happen. However, it was then 



shown 1^] that the simple-minded method does not guarantee the final security. It is 
shown 13| that in a typical parameter regime nothing changes if one starts to monitor 
the photon number statistics as Eve can adapt her strategy to reshape the photon num- 
ber distribution such that it becomes Poissonian again. A very important method with 
decoy states was then proposed by Hwang [l^. where the unconditional verification of the 



multi-photon counting rate is given. Hwang's decoy-state method can faithfully estimate 
the upper bound of A through decoy-pulses, given whatever type of PNS attack. (Remark: 
Decoy-state method is not the only solution to the issue. An alternative method is to use 



strong refenence light 



121] .) However, Hwang's initial protocol 14] does not give a sufficiently 



tight bound. For example, in the case of /x = 0.3, by Hwang's method, the the optimized 
verified upper bound of A is 60.4%. As it has been 

m en tion edQQ, decode m e tM 
can be combined with GLLP^| to distill unconditionally secure final key. With the value 
A = 60.4%, by eq(J2J), the key rate can be rather low in practice. Following Hwang's workjl^. 
decoy-state method was then studied by Lo and co-workers [3, 16j. They proposed their 



main protocol : Try EVERY Poisson distribution of mixed states in Fock space, i.e., to test 
the counting rates of coherent states {\l^'e 10 )} with ALL possible values of /jf in one protocol. 
In such a way the counting rates of each state |^)(^| can be calculated therefore an exact 
value of A can be given. However, such a protocol seems to be inefficient in practice, because 
it requires infinite number of classes of different coherent states to work as the decoy states. 
Prior to this, an idea of using vacuum to test the dark count and using very weak coher- 
ent state as d ecoy state to verify the lower bound of single-photon transmittance had been 



shortly stated 



16J. However, as it is shown in the Appendix, given a very lossy channel, the 



number of single-photon counts of all those decoy states is much less than the dark count. 
Even a little bit fluctuation of dark count can totally destroy any meaningful estimation of 
single-photon counts. To make a meaningful estimation, the statistical fluctuation of dark 
count must be pretty small and this requires an unreasonably large number of decoy-pulses 
which request more than 14 days to produce. In summary, so far no prior art result of 
decoy-state can really work in practice. 

Here, we propose a new decoy-state protocol which is the only one that really works for 
currently existing set-ups. The protocol uses only 3 different states and the verified bound 
values are sufficiently tight for long-distance QKD. In the protocol, coherent states with 
average photon number /i, /V are used for signal pulses and vacuum is used for the decoy 
pulse. Since both /i and \il are in a reasonable range, pulses produced in both states can 
be used to distill the final key. That is to say, both of them can be regarded as the signal 
states. Our result uniquely shows that long-distance QKD with decoy states by a real-world 
protocol is possible, with a reasonable number of total pulses. 

For simplicity, we denote those pulses produced in state \^e ie ), \/i'e ie ), |0) as class Y^Y^i 
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and Yo, respectively. In the protocol 9 is randomized. Also, Alice mixes the positions of all 
pulses therefore no one but Alice knows which pulse belongs to which class in the protocol. 
They observe the counting rates of each classes and then verify the upper bounds of counts 
caused by multi-photon pulses from class Y^, Y^r, respectively. If these values are too large, 
they abandon the protocol, otherwise they go on to do key distillations using pulses from 
each class of Y^ and Y^ by GLLpjll|. 

We first define the counting rate of any state p: the probability that Bob's detector clicks 
whenever a state p is sent outby Alice. We disregard what state Bob may receive here. This 
counting rate is called as the yield in other literatures jl^. lsj ]. We denote the counting rate 
(yield) of vacuum, class Y Q , Y^, Y^ by notations s , S^, S^, respectively. These 3 parameters 
are observed in the protocol itself: After all pulses are sent out, Bob announces which pulse 
has caused a click which pulse has not caused a click. Since Alice knows which pulse belongs 
to which class, Alice can calculate the counting rates of each classes of pulses. Therefore we 
shall regard Sq, 5* m , S^' as known parameters in protocol. The value So is counting rate at 
Bob's side when Alice sends vacuum pulses. We shall also call so as the vacuum count or 
dark count rate. 

Their task is to verify the upper bound of A, the fraction of multi-photon counts among 
all counts caused by pulses in class Y^ and also the upper bound of A', the fraction of multi- 
photon counts among all counts caused by pulses in class Y^. We shall show how they can 
deduce the upper values of A, A' from the values of {s , S^, S^>}. We shall focus on A first 
and latter obtain A' based on the knowledge of A. 

For convenience, we always assume 

p! > p; p!e-v' > peT» (3) 
in this paper. A dephased coherent state \pe ld ) has the following convex form: 

p At = e^|0)(0|+ yU e^|l)(l| + cp c (4) 
and c = 1 — — pe~^ > 0, 

oo 

Pc = - Pn{p)\n)(n\. (5) 



n=2 



Similarly, state \p'e ld ) after dephasing is 



Pv ! = e-"'|0)<0| + p'e-»'\l)(l\ + c^-^- Pc + dp d (6) 

p^e f 1 



and d = 1 — e M ' — 



p'e 




> 0. prf is a density operator. (We shall only use 



the fact that d is non-negative and pd is a density operator.) In deriving the above convex 
form, we have used the fact P n (p') / '-^(/-O > Pn(p) I P%{p) f° r ah n > 2, given the conditions 
of eq.(JHJ). With these convex forms of density operators, it is equivalent to say that Alice 
sometimes sends nothing (|0)(0|), sometimes sends |1)(1|, sometimes sends p c and sometimes 
sends pd, though Alice does not know which time she has sent out which one of these states. 
In each individual sending, she only knows which class the pulse belongs to. We shall 
use notations s , s%, s c , S^, S^, for the counting rates of state |0)(0|, p c , Pn, P^ 1 -, Pd, 

respectively. Given any state p, nobody but Alice can tell whether it is from class or Y^. 
Asymptotically, we have 



and s p (p), Sp(p') are counting rates for state p from class Y^ and class Y^, respectively. 

We shall use the safest assumption that Eve also controls the the detection efficiency 
and dark count of Bob's detector. We only consider the overall transmittance including the 
channel, Bob's devices and detection efficiency. By eq.flU), we relate A with parameter s c , 
the multi-photon counting rate in class Y^ by: 



To verify the upper bound of A for pulses from class Y^ we only need to verify the upper 
bound of s c , the counting rate of mixed state p c . The task is reduced to formulating s c by 
{s , Sp, S/j,'}, which are measured directly in the protocol itself. The coherent state p^i is 
convexed by p c and other states. Given the condition of eq.(JBJ), the probability of p c in state 
p^i is larger than that in p M . Using this fact we can make a preliminary estimation of s c . 
From eq.(jnj we immediately obtain 



Sq is known, Si and Sd are unknown, but they are never less than 0. Therefore we have 



s p(v) = s p(p>') 



(7) 




(8) 



Su> = e M 's + fjfe + c— — -s c + ds d - 

p 2 e^^ 



(9) 



We can obtain Hwang's main result 




(10) 




(11) 
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Combining this equation with eq.(jSJ)we have 



A< , 2 ^ • 12 



This is just eq.(12) in ref. [14|. In the normal case that there is no Eve's attack, Alice and Bob 
will find Sfj /Sf,, = = n' / A* in there protocol therefore they they can verify A < , 

which is just eq.(13) of Hwang's work[14]. Our derivation looks significantly simpler than 
that in ref.Q- 

Having obtained the crude results above, we now show that the verification can be done 
more sophisticatedly and one can further tighten the bound significantly. In the inequality 
(JUJ), we have dropped terms s\ and Sd, since we only have trivial knowledge about s\ and Sd 
there, i.e., S\ > and Sd > 0. Therefore, inequality (jTH)) has no advantage at that moment. 
However, after we have obtained the crude upper bound of s c , we can have a larger-than-0 
lower bound for si, provided that our crude upper bound for A given by eq.tjllj) is not too 
large. From eq.(|4*]) we have 

e~"s + \Le~*s\ + cs c = S^. (13) 

With the crude upper bound for s c given by eq. lfTTj) . we have the non-trivial lower bound 
for S\ now: 

si > - e-% - cs c > 0. (14) 

The updated si will in return further tighten the upper bound of s c by eq.lfTUjl. and the 
tightened s c will again update si by eq. (|14jl and so on. After many iterations, the final 
values for s c and s\ are given by the simultaneous constraints of of inequalities fll4j) and 
(110)1 . We have the following final bound after solving them: 

Here we have used eq.flEJ). In the case of so << r], if there is no Eve., S'^/S^ = fjf/fi. Alice 
and Bob must be able to verify 

= fi (16) 



in the protocol. This is close to the real value of fraction of multi-photon counts: 1 — e M , 
given that r\ << 1. This shows that eq.(JT3J) indeed gives a rather tight upper bound. In our 



derivation, all multi-photon counts from pulses in class are due to only one mixed state, 
p c . Therefore we only need to calculate one unknown parameter, s c . However, in RefQ], 
they have considered the contribution of each Fock state and there are infinite number of 
unknown variables of {s^}. Therefore they need infinite number of different coherent states 
in their main protocol|l5| while we only need three. 

With the upper bound of s c (or, A), pulses from class can be used for key distillation 
by GLLP ll|. On the other hand, given s c , we can calculate the lower bound of s± through 
eq. ()14|) . Given s\, we can also calculate the upper bound of A', the fraction of multi-photon 
count among all counts caused by pulses from class Y^. Explicitly, 

A' < 1 - (1 - A - ^V~"' - (17) 

The values of p,, p' should be chosen in a reasonable range, e.g., from 0.2 to 0.5. To maxi- 
mize the key rate, one need to consider the quantities of transmittance, quantum bit error 
rate(QBER) and vacuum counts jointly. The optimization is not studied in this paper. 

The results above are only for the asymptotic case. In practice, there are statistical 
fluctuations, i.e., Eve. has non-negligibly small probability to treat the pulses from different 
classes a little bit differently, even though the pulses have the same state. It is insecure if 
we simply use the asymptotic result in practice. Our task remained is to verify a tight upper 
bound of A and the probability that the real value of A breaks the verified upper bound is 
exponentially close to 0. 

The counting rate of any state p in class Y^ now can be slightly different from the counting 
rate of the same state p from another class, Y^, with non-negligible probability. We shall use 
the primed notation for the counting rate for any state in class and the original notation 



for the counting rate for any state in class Y^. Explicitly, eq. (jl3H0j) are now converted to 

e~^s + pe~ fl Si + cs c = S 



Setting s' x — (1 — r x )s x for x — 1, c and s' — (1 + r )so we obtain 



(18) 



p'e" 



:i-r.)£-i 



A < fie'S^/Sn - p!e» + [(// - p)s + r lSl + r s ]/S^. (19) 



From this we can see, if p and p' are too close, A can be very large. The important question 
here is now whether there are reasonable values for p', p so that our method has significant 
advantage to the previous method[l^. The answer is yes. 



Given Ni+N 2 copies of state p, suppose the counting rate for Ni randomly chosen states is 
s p and the counting rate for the remained states is s' , the probability that s p — s' > S p is less 
than exp ( — j8 p 2 N /s p ) and N = Min(iV 1 , N 2 ). Now we consider the difference of counting 



rates for the same state from different classes, Y p and Y p >. To make a faithful estimation for 
exponentially sure, we require 5 P 2 N /s p = 100. This causes a relative fluctuation 



r >= s i-lw« (20) 

The probability of violation is less than e -25 . To formulate the relative fluctuation r 1; r c by 
s c and s\, we only need to check the number of pulses in p c , |1)(1| in each classes in the 



protocol. That is, using eq.(|2D|). we can replace r 1; r c in eq. (fTS|) by 10e M / 2 y^-^, 10y ( , v - 
respectively and N is the number of pulses in class Y^. Since we assume the case where 
vacuum- counting rate is much less than the counting rate of state p M , we omit the effect of 
fluctuation in vacuum counting, i.e., we set r = 0. With these inputs, eq.(fTSj) can now be 
solved numerically. The results are listed in the following table. From this table we can see 
that good values of p, p' indeed exist and our verified upper bounds are sufficiently tight to 
make QKD over very lossy channel. Note that so far this is the only non-asymptotic result 
among all existing works on decoy-state. From the table we can see that our non-asymptotic 
values are less than Hwang's asymptotic values already. Our verified values are rather close 
to the true values. We have assumed the vacuum count rate Sq = 10~ 6 in the calculation. 
If So is smaller, our results will be even better. Actually, the value of so (dark count) can 
be even lower than the assumed value here 3, (3 • in the real set-up given by Gobby et 



al 



17| . the light loses a half over every 15km, the devices and detection loss is 4.5% and 



So < 8.5 x 10 7 . Given these parameters, we believe that our protocol works over a distance 



longer than 120km with with p = 0.3, p' = OA 
In conclusion, following the work by Hwang 



5 and a reasonable number of total pulses. 



14j , we have proposed an efficient and feasible 



decoy-state method to do QKD over very lossy channel. The main protocol in Ref. |15| is 
impractical because it depends on infinite number of pulses. The idea stated in Ref lq 
doesn't work in practice either because it has implicitly assumed an unreasonablly large 
numbe of pulses which require more than 14 days to produce, by the currently existing 
technology. Our protocol is the only decoy-state protocol which really works with currently 
existing set-ups. The method of this paper can be further developed[19]. 

Note added: After the earlier versions of this work (quant-ph/0410075) had been 
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TABLE I: The verified upper bound of the fraction of tagged pulses in QKD. Ah is the result from 
Hwang's method. A# is the true value of the fraction of multi-photon counts in case there is no 
Eve. Ah and A# do not change with channel transmittance. A^yi is bound for pulses in class Kj, 
given that r\ = 1CP 3 . Aw2 and A' W2 are bound values for the pulses in class Y^Y^t respectively, 
given that r/ = 10 -4 . We assume so = 1CP 6 . The number of pulses is 10 10 in class Y^Y' in 
calculating Ajyi and 8 x 10 10 in calculating Avi/2,A / H/2 . 4 x 10 9 vacuum pulses is sufficient for 
class Yq. The bound values will change by less than 0.01 if the value of sq is 1.5 times larger. The 
numbers inside brackets are chosen values for //. For example, in the column of fi = 0.25, data 
30.9%(0.41) means, if we choose fi = 0.25, ^ = 0.41, we can verify A < 30.9% for class Y^. 





0.2 


0.25 


0.3 


0.35 




44.5% 


52.9% 


60.4% 


67.0% 


A R 


18.3% 


22.2% 


25.9% 


29.5% 


A W i 


23.4%(0.34) 


28.9%(0.38) 


34.4%(0.43) 


39.9%(0.45) 


Atf/2 


25.6%(0.39) 


30.9%(0.41) 


36.2%(0.45 ) 


41.5%(0.47) 





0.39 


0.41 


0.45 


0.47 


A h 


71.8% 


74.0% 


78.0% 


79.8% 




32.3% 


33.7% 


36.2% 


37.5% 


A' 


40.1% 


42.2% 


45.8% 


48.6 



presentej^J, H. K. Lo et al also presented their previously announced results in the arXiv 
( |quant-ph/04110i34l )|2li. They claim that they have for the first time made the decoy-state 
method efficiently useful in practice. We question their claim as we have shown that none 
of their previously announced protocol or idea really works in practice. If, in Refj^, their 
claim is actually based on something different from their previously announced results, since 



Ref 



2l| itself is presented later than our work 20], then at least t 



21 



ie phrase "for the first 
itself does not contain 



time" is inappropriate in their claim. To my understanding, Ref 
anything new, it is an extended version of their previously announced results. Therefore, 
not only the phrase "for the first time" in their claim is inappropriate, but also their whole 
claim is inappropriate. 



Appendix: 

In this Appendix, we give detailed demonstration that the shortly stated idea in Ref[n| 

:"On one hand, by using a vacuum as decoy state, 
Alice and Bob can verify the so called dark count rates of their detectors. On the other 
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hand, by using a very weak coherent pulse as decoy state, Alice and Bob can easily lower 
bound the yield (channel transmittance) of single-photon pulses." This is to say, there are 
two sets of decoy pulses: Set Y contains M vacuum pulses |0)(0| and set Y v contains iV 
pulses of very weak coherent state \fi v )(fi v \. They can only observe the total counts of set 
Y and the total counts of set Y v . By that idea lq . to verify a meaningful lower bound of 
si, the value fi v must be less than channel transmittance rj. For clarity, we assume zero 
dark count first. They can only observe the total counts of pulses in set Y v . In the normal 
case when there is no Eve, N decoy pulses in class Y v will cause N(l — e~ mv ) counts. 
For the security, one has no other choice but to assume the worst case that all multi- 
photon pulses have caused a count. Therefore the lower bound of single-photon counts is 
N[l — e~ mv — (1 — e~ M " — u^e"^)] = N(rjp, v — The lower bound value for si is 

verified by si > N<y ^~-^ ~ V ~ Therefore one has to request /jl v < r\ here if one 

wants to verify s\ > r]/2. Now we consider the effect caused by dark counts. Suppose, after 
observed the counts of pulses in set Y , they find that the dark count rate, so = 10~ 6 for 
set Yq. Note that the dark count rate for set Yq and the dark count rate for set Y v can be 
a little bit different due to the stastical fluctuation. Given N pulses of state \fJ, v ), there are 
Ne~^ v vacuum pulses and N(l — e _Ml ") non- vacuum pulses. Alice does not know which pulse 
is vacuum which pulse is non-vacuum. They can only observe the number of total counts 
(n t ) caused by N decoy pulses in set Y v , which is the summation of dark counts, no, the 
number of single-photon counts n\ and the number of multi-photon counts, n m , of those N 
decoy pulses in set Y v . After observed the number of total counts n t , they try to estimates 
ni by the formula n t = + ri\ + n m , with uq = Ns^e'^ and the worst-case assumption of 
n m = N(l — e~^ v — [jL v e~^" v ). The value s' Q is the dark count rate for set Y v and the value s' 
is never known exactly. They only know the approximate value, s' ~ Sq = 10~ 6 . Consider 
the case 77 = 10~ 4 . The expected value of n\ + n m is N(l — e~~ Vfl ) < 10 _8 A^. Meanwhile, 
the expected number of dark counts is around 10~ 6 iV\ Since the expected number of dark 
counts there is much larger than the expected number of n\ + n m , a little bit fluctuation of 
dark counts will totally destroy the estimation of the value n\ + n m therefore totally destroy 
the estimation of n\. To make a faithful estimation, we request the fluctuation of dark 
count to be much less than 10 _8 iV, e.g., in the magnitude order of 10 -9 iV\ This is to say, 
one must make sure that the relative fluctuation of dark counts is less than 0.1%, with a 
probability exponentially close to 1 (say, 1 — e~ 25 ). This requires N larger than 10 14 . The 
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system repetition rate is normally less than 8 x 10 7 in practice. Producing 10 14 decoy pulses 
needs more than 14 days. 
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